Technology & Science

Malicious hackers say they demanded $50,000 ransom for stolen Bell data

After 1.9 million email addresses were stolen from Bell's system, a person using the online handle "exodus" claimed to be one of two people behind the theft.

A person using the handle 'exodus' claimed responsibility for the theft of 1.9 million email addresses

Bell apologized to its customers last week after 1.9 million email addresses and approximately 1,700 names and phone numbers were stolen from the company's systems and posted online. (Shutterstock, Galit Rodan/Canadian Press)

A pair of malicious hackers say they demanded that Bell pay a $50,000 US ransom to prevent stolen customer data from being shared online, according to a person claiming responsibility for the theft.

That person — who communicated with CBC News via encrypted chat using the handle "exodus" — says a ransom email was sent to Bell on May 5, detailing the extent of the breach and the thieves' terms.

Bell apologized to its customers last week after 1.9 million email addresses and approximately 1,700 names and phone numbers were stolen from the company's systems and posted online. Links to the data were then shared across social media.

"We were literally inside Bell's networks with access to everything," exodus told CBC News. "It could have been much worse for them."

Even after the breach was revealed, exodus claimed to still have access to Bell servers, and to have stolen additional data that could still be leaked — in particular, "all passwords for Bell customers." They were unable to offer any supporting proof.

Bell previously told customers that "there is no indication that any financial, password or other sensitive personal information was accessed."

Bell's director of communications Marc Choma declined to comment on any of exodus's claims, which could not be independently verified by CBC News. He previously told Reuters that "a demand for payment was made by the hacker, but it was not paid."

A Bell spokesperson has said that 'a demand for payment was made by the hacker, but it was not paid.' (Galit Rodan/Canadian Press)

The breach is the latest in a string of high-profile malicious hacks that have held large corporations' data for ransom.

In April, a person or group who went by the name "thedarkoverlord" leaked the latest season of the Netflix TV series Orange Is the New Black, more than a month before its premiere, after the streaming service declined to pay up.

And earlier this month, it was reported that Disney's upcoming film Pirates of the Caribbean: Dead Men Tell No Taleshad also been stolen and held for an unspecified ransom, though it's unclear if the two attacks are related. The movie hasn't yet been leaked.

More recently, companies and individuals continue to grapple with the fallout from the WannaCry ransomware attack, which held hostage hundreds of thousands of computers around the globe, before malware researchers curtailed its rapid spread.

'They have many security vulnerabilities'

CBC News made initial contact with exodus through an account called "exodusbell" on the website Reddit.

The account was created last Monday — the day the breach was made public — and it made three posts in the hours before Bell issued a statement confirming the breach. 

Each post was titled "Bell.ca Media leak. Be warned Bell," which sent visitors to a website with a message from the thieves, before linking to yet another website that hosted the leaked files.

The timing of the posts — which appeared to be the first to publicly link to the leaked material — suggest they were likely shared by the malicious hackers themselves, or by someone on their behalf.

According to an email that exodus shared with CBC News, the pair demanded Bell send $50,000 US in bitcoin within 14 days of the email's receipt. In exchange, they claimed they would honour a signed contract promising "video and cryptographical evidence" of the data being "securely deleted."

If Bell refused to co-operate, the pair would leak the stolen data online.

It "would be unfortunate if your customers had another reason to hate you," said the email to Bell, which linked to the same website that was later shared online, directing visitors to files containing the leaked data.

Exodus says Bell never responded — a fact Choma confirmed to Reuters last week.

It is not the first time that unauthorized users have breached Bell's systems and leaked customer information. In 2014, the RCMP charged a Quebec youth after a Bell contractor was breached and 22,421 user names and passwords, as well as five valid credit card numbers, were posted online.

"They really don't care about their customers," exodus said. "They have many security vulnerabilities."

Some hackers will report vulnerabilities they find to companies — sometimes in exchange for payment, or for altruistic reasons — but try to avoid doing things that might be deemed illegal, such as taking user data. The Bell breach does not appear to be one of those cases, as exodus says their actions were "highly financially motivated."

"Unlike the kids last time, we have owned them, and no [law enforcement] creeping about," exodus said.

The account stopped responding to messages from CBC News late last week.

About the Author

Matthew Braga

Senior Technology Reporter

Matthew Braga is the senior technology reporter for CBC News, where he covers stories about how data is collected, used, and shared. You can contact him via email at matthew.braga@cbc.ca. For particularly sensitive messages or documents, consider using Secure Drop, an anonymous, confidential system for sharing encrypted information with CBC News.